The present invention relates to a network authentication system, method, and program, a service providing apparatus, a certificate authority, and a user terminal and, more particularly, to a network authentication system, method, and program, a service providing apparatus, a certificate authority, and a user terminal which perform authentication by using biometrical information of a user in providing a given service on a communication network.
In a highly information-oriented society, there is an increasing demand to authenticate users strictly while remaining compatible with automated information processing. This demand is particularly strong in information management systems which handle important information, such as personal information, across a communication network, and in settlement systems which perform electronic payment on a communication network.
To meet this demand, research on network authentication systems, which authenticate a user via a communication network on the basis of electronically detected, user-unique biometrical information, is being actively pursued, building on network communication technologies and information processing technologies.
In a conventional network authentication system, as shown in FIG. 14, a user terminal 7 operated by a user detects biometrical information of the user, such as a fingerprint, and a collating unit 71 identifies the user by collating this biometrical information. The collation result 71A is transmitted as a collation result 7A from a communication apparatus 72 to a service providing apparatus 8 via a communication network 9. In the service providing apparatus 8, a processing unit 82 performs predetermined processing on the basis of the collation result 81A received by a communication unit 81, thereby providing a service.
In another system as shown in FIG. 15, an encryption circuit 74 of a user terminal 7 encrypts a collation result 71A from a collating unit 71 by using an encryption key 73A prestored in a storage circuit 73. The result of encryption is transmitted as communication data 7B. A decryption circuit 84 of a service providing apparatus 8 decrypts this communication data 7B from the user terminal 7 by using a decryption key 83A prestored in a database 83, thereby obtaining a collation result 84A.
Unfortunately, in the former conventional network authentication system (FIG. 14), the service providing apparatus decides whether to provide a service on the basis of a collation result received directly from the user terminal. The collation result can therefore easily be intercepted on the network, and a third party who sends a forged collation result can easily pose as the user. This lowers security.
In the latter system (FIG. 15), interception and impersonation can be prevented because the collation result is encrypted. However, the encryption key held by each user terminal and the decryption key held by the service providing apparatus must correspond to each other one to one. Accordingly, if a plurality of user terminals share one service providing apparatus 8, the service providing apparatus must manage a decryption key corresponding to the encryption key of every one of these user terminals.
Managing these keys safely in the service providing apparatus therefore increases the scale of the system.
Furthermore, if a plurality of service providing apparatuses are present and each user terminal selectively uses them as needed, each user must register the decryption key corresponding to the encryption key of his or her user terminal in every service providing apparatus. The transmission and maintenance of these keys require a high level of security, which further increases the scale and cost of the system.
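The two conventional exchanges described above, modelled end to end as an added example that is not part of the patent. The page names no cipher, so the FIG. 15 encryption is stood in for here by an HMAC-SHA256 keystream with an HMAC integrity tag (an assumption), and the class and function names (UserTerminal, ServiceProvider, key_registrations, demo) are this example's own. The terminal keys and messages are constructed for the demonstration.

```python
"""Model of the conventional schemes of FIG. 14 and FIG. 15.

Added example, not the patent's code. The cipher (HMAC-SHA256 keystream
plus HMAC tag) is an assumption; the page does not specify one.
"""
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32


# ---- FIG. 14: the collation result travels in the clear -----------------

def fig14_message(user_id: str, matched: bool) -> bytes:
    """Collation result 71A sent as-is (7A) by communication apparatus 72."""
    return f"{user_id}:{'OK' if matched else 'NG'}".encode()


def fig14_service_decides(msg: bytes) -> bool:
    """Processing unit 82 acts on the received result 81A without any check."""
    _user, _, result = msg.decode().partition(":")
    return result == "OK"


# ---- FIG. 15: per-terminal key, decryption key held by the provider -----

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encryption circuit 74: fresh nonce, XOR keystream, integrity tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, data: bytes):
    """Decryption circuit 84. Returns None if the message is too short or the tag fails."""
    if len(data) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = data[:NONCE_LEN], data[NONCE_LEN:-TAG_LEN], data[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class UserTerminal:
    def __init__(self, terminal_id: str, key: bytes):
        self.terminal_id = terminal_id
        self.key = key  # encryption key 73A in storage circuit 73

    def send(self, matched: bool) -> tuple:
        """Communication data 7B: (terminal id, encrypted collation result)."""
        return self.terminal_id, encrypt(self.key, b"OK" if matched else b"NG")


class ServiceProvider:
    def __init__(self):
        self.database = {}  # database 83: terminal id -> decryption key 83A

    def register(self, terminal: UserTerminal) -> None:
        self.database[terminal.terminal_id] = terminal.key

    def decides(self, terminal_id: str, data: bytes) -> bool:
        key = self.database.get(terminal_id)
        return key is not None and decrypt(key, data) == b"OK"


def key_registrations(terminals, providers) -> int:
    """Register every terminal with every provider; return total key entries."""
    for p in providers:
        for t in terminals:
            p.register(t)
    return sum(len(p.database) for p in providers)


def demo():
    forged_ok = fig14_service_decides(b"alice:OK")  # FIG. 14 accepts a forgery

    terminals = [UserTerminal("t1", secrets.token_bytes(32)),
                 UserTerminal("t2", secrets.token_bytes(32))]
    providers = [ServiceProvider(), ServiceProvider()]
    total_keys = key_registrations(terminals, providers)  # 2 terminals x 2 providers

    tid, data = terminals[0].send(matched=True)
    genuine = providers[0].decides(tid, data)
    tampered = data[:NONCE_LEN] + bytes([data[NONCE_LEN] ^ 1]) + data[NONCE_LEN + 1:]
    forged = providers[0].decides(tid, tampered)                      # tag fails
    impostor = providers[0].decides(tid, encrypt(b"wrong key", b"OK"))  # no key 73A
    return forged_ok, total_keys, genuine, forged, impostor


if __name__ == "__main__":
    print(demo())
```

demo() returns (True, 4, True, False, False): the plaintext scheme accepts any "OK" string, whereas the keyed scheme rejects both a tampered message and one produced without the terminal's key. The value 4 is the key-management cost the passage describes, since every terminal has to be registered in every provider's database 83. Note that it is the integrity tag, not the encryption by itself, that makes the tampered and impostor messages fail; the description of FIG. 15 does not say how the conventional system checks integrity, so that part of the model is an assumption.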